Class StandardSecurityHandler

    • Field Detail

      • LOG

        private static final org.apache.commons.logging.Log LOG
        Log instance.
      • FILTER

        public static final java.lang.String FILTER
        Type of security handler.
        See Also:
        Constant Field Values
      • PROTECTION_POLICY_CLASS

        public static final java.lang.Class<?> PROTECTION_POLICY_CLASS
        Protection policy class for this handler.
      • ENCRYPT_PADDING

        private static final byte[] ENCRYPT_PADDING
        Standard padding for encryption.
      • HASHES_2B

        private static final java.lang.String[] HASHES_2B
    • Constructor Detail

      • StandardSecurityHandler

        public StandardSecurityHandler()
        Constructor.
      • StandardSecurityHandler

        public StandardSecurityHandler​(StandardProtectionPolicy standardProtectionPolicy)
        Constructor used for encryption.
        Parameters:
        standardProtectionPolicy - The protection policy.
    • Method Detail

      • computeRevisionNumber

        private int computeRevisionNumber​(int version)
        Computes the revision version of the StandardSecurityHandler to use regarding the version number and the permissions bits set. See PDF Spec 1.6 p98
        Parameters:
        version - The version number.
        Returns:
        The computed revision number.
      • prepareForDecryption

        public void prepareForDecryption​(PDEncryption encryption,
                                         COSArray documentIDArray,
                                         DecryptionMaterial decryptionMaterial)
                                  throws java.io.IOException
        Prepares everything to decrypt the document. Only if decryption of single objects is needed this should be called.
        Specified by:
        prepareForDecryption in class SecurityHandler
        Parameters:
        encryption - encryption dictionary
        documentIDArray - document id
        decryptionMaterial - Information used to decrypt the document.
        Throws:
        InvalidPasswordException - If the password is incorrect.
        java.io.IOException - If there is an error accessing data.
      • getDocumentIDBytes

        private byte[] getDocumentIDBytes​(COSArray documentIDArray)
      • validatePerms

        private void validatePerms​(PDEncryption encryption,
                                   int dicPermissions,
                                   boolean encryptMetadata)
                            throws java.io.IOException
        Throws:
        java.io.IOException
      • prepareDocumentForEncryption

        public void prepareDocumentForEncryption​(PDDocument document)
                                          throws java.io.IOException
        Prepare document for encryption.
        Specified by:
        prepareDocumentForEncryption in class SecurityHandler
        Parameters:
        document - The document to encrypt.
        Throws:
        java.io.IOException - If there is an error accessing data.
      • prepareEncryptionDictRev6

        private void prepareEncryptionDictRev6​(java.lang.String ownerPassword,
                                               java.lang.String userPassword,
                                               PDEncryption encryptionDictionary,
                                               int permissionInt)
                                        throws java.io.IOException
        Throws:
        java.io.IOException
      • prepareEncryptionDictRev2345

        private void prepareEncryptionDictRev2345​(java.lang.String ownerPassword,
                                                  java.lang.String userPassword,
                                                  PDEncryption encryptionDictionary,
                                                  int permissionInt,
                                                  PDDocument document,
                                                  int revision,
                                                  int length)
                                           throws java.io.IOException
        Throws:
        java.io.IOException
      • prepareEncryptionDictAES

        private void prepareEncryptionDictAES​(PDEncryption encryptionDictionary,
                                              COSName aesVName)
      • isOwnerPassword

        public boolean isOwnerPassword​(byte[] ownerPassword,
                                       byte[] user,
                                       byte[] owner,
                                       int permissions,
                                       byte[] id,
                                       int encRevision,
                                       int keyLengthInBytes,
                                       boolean encryptMetadata)
                                throws java.io.IOException
        Check for owner password.
        Parameters:
        ownerPassword - The owner password.
        user - The u entry of the encryption dictionary.
        owner - The o entry of the encryption dictionary.
        permissions - The set of permissions on the document.
        id - The document id.
        encRevision - The encryption algorithm revision.
        keyLengthInBytes - The encryption key length in bytes.
        encryptMetadata - The encryption metadata
        Returns:
        True If the ownerPassword param is the owner password.
        Throws:
        java.io.IOException - If there is an error accessing data.
      • getUserPassword

        public byte[] getUserPassword​(byte[] ownerPassword,
                                      byte[] owner,
                                      int encRevision,
                                      int length)
                               throws java.io.IOException
        Get the user password based on the owner password.
        Parameters:
        ownerPassword - The plaintext owner password.
        owner - The o entry of the encryption dictionary.
        encRevision - The encryption revision number.
        length - The key length.
        Returns:
        The u entry of the encryption dictionary.
        Throws:
        java.io.IOException - If there is an error accessing data while generating the user password.
      • computeEncryptedKey

        public byte[] computeEncryptedKey​(byte[] password,
                                          byte[] o,
                                          byte[] u,
                                          byte[] oe,
                                          byte[] ue,
                                          int permissions,
                                          byte[] id,
                                          int encRevision,
                                          int keyLengthInBytes,
                                          boolean encryptMetadata,
                                          boolean isOwnerPassword)
                                   throws java.io.IOException
        Compute the encryption key.
        Parameters:
        password - The password to compute the encrypted key.
        o - The O entry of the encryption dictionary.
        u - The U entry of the encryption dictionary.
        oe - The OE entry of the encryption dictionary.
        ue - The UE entry of the encryption dictionary.
        permissions - The permissions for the document.
        id - The document id.
        encRevision - The revision of the encryption algorithm.
        keyLengthInBytes - The length of the encryption key in bytes.
        encryptMetadata - The encryption metadata
        isOwnerPassword - whether the password given is the owner password (for revision 6)
        Returns:
        The encrypted key bytes.
        Throws:
        java.io.IOException - If there is an error with encryption.
      • computeEncryptedKeyRev234

        private byte[] computeEncryptedKeyRev234​(byte[] password,
                                                 byte[] o,
                                                 int permissions,
                                                 byte[] id,
                                                 boolean encryptMetadata,
                                                 int length,
                                                 int encRevision)
      • computeEncryptedKeyRev56

        private byte[] computeEncryptedKeyRev56​(byte[] password,
                                                boolean isOwnerPassword,
                                                byte[] o,
                                                byte[] u,
                                                byte[] oe,
                                                byte[] ue,
                                                int encRevision)
                                         throws java.io.IOException
        Throws:
        java.io.IOException
      • computeUserPassword

        public byte[] computeUserPassword​(byte[] password,
                                          byte[] owner,
                                          int permissions,
                                          byte[] id,
                                          int encRevision,
                                          int keyLengthInBytes,
                                          boolean encryptMetadata)
                                   throws java.io.IOException
        This will compute the user password hash.
        Parameters:
        password - The plain text password.
        owner - The owner password hash.
        permissions - The document permissions.
        id - The document id.
        encRevision - The revision of the encryption.
        keyLengthInBytes - The length of the encryption key in bytes.
        encryptMetadata - The encryption metadata
        Returns:
        The user password.
        Throws:
        java.io.IOException - if the password could not be computed
      • computeOwnerPassword

        public byte[] computeOwnerPassword​(byte[] ownerPassword,
                                           byte[] userPassword,
                                           int encRevision,
                                           int length)
                                    throws java.io.IOException
        Compute the owner entry in the encryption dictionary.
        Parameters:
        ownerPassword - The plaintext owner password.
        userPassword - The plaintext user password.
        encRevision - The revision number of the encryption algorithm.
        length - The length of the encryption key.
        Returns:
        The o entry of the encryption dictionary.
        Throws:
        java.io.IOException - if the owner password could not be computed
      • computeRC4key

        private byte[] computeRC4key​(byte[] ownerPassword,
                                     int encRevision,
                                     int length)
      • truncateOrPad

        private byte[] truncateOrPad​(byte[] password)
        This will take the password and truncate or pad it as necessary.
        Parameters:
        password - The password to pad or truncate.
        Returns:
        The padded or truncated password.
      • isUserPassword

        public boolean isUserPassword​(byte[] password,
                                      byte[] user,
                                      byte[] owner,
                                      int permissions,
                                      byte[] id,
                                      int encRevision,
                                      int keyLengthInBytes,
                                      boolean encryptMetadata)
                               throws java.io.IOException
        Check if a plaintext password is the user password.
        Parameters:
        password - The plaintext password.
        user - The u entry of the encryption dictionary.
        owner - The o entry of the encryption dictionary.
        permissions - The permissions set in the PDF.
        id - The document id used for encryption.
        encRevision - The revision of the encryption algorithm.
        keyLengthInBytes - The length of the encryption key in bytes.
        encryptMetadata - The encryption metadata.
        Returns:
        true If the plaintext password is the user password.
        Throws:
        java.io.IOException - If there is an error accessing data.
      • isUserPassword234

        private boolean isUserPassword234​(byte[] password,
                                          byte[] user,
                                          byte[] owner,
                                          int permissions,
                                          byte[] id,
                                          int encRevision,
                                          int length,
                                          boolean encryptMetadata)
                                   throws java.io.IOException
        Throws:
        java.io.IOException
      • isUserPassword56

        private boolean isUserPassword56​(byte[] password,
                                         byte[] user,
                                         int encRevision)
                                  throws java.io.IOException
        Throws:
        java.io.IOException
      • isUserPassword

        public boolean isUserPassword​(java.lang.String password,
                                      byte[] user,
                                      byte[] owner,
                                      int permissions,
                                      byte[] id,
                                      int encRevision,
                                      int keyLengthInBytes,
                                      boolean encryptMetadata)
                               throws java.io.IOException
        Check if a plaintext password is the user password.
        Parameters:
        password - The plaintext password.
        user - The u entry of the encryption dictionary.
        owner - The o entry of the encryption dictionary.
        permissions - The permissions set in the PDF.
        id - The document id used for encryption.
        encRevision - The revision of the encryption algorithm.
        keyLengthInBytes - The length of the encryption key in bytes.
        encryptMetadata - The encryption metadata
        Returns:
        true If the plaintext password is the user password.
        Throws:
        java.io.IOException - If there is an error accessing data.
      • isOwnerPassword

        public boolean isOwnerPassword​(java.lang.String password,
                                       byte[] user,
                                       byte[] owner,
                                       int permissions,
                                       byte[] id,
                                       int encRevision,
                                       int keyLengthInBytes,
                                       boolean encryptMetadata)
                                throws java.io.IOException
        Check for owner password.
        Parameters:
        password - The owner password.
        user - The u entry of the encryption dictionary.
        owner - The o entry of the encryption dictionary.
        permissions - The set of permissions on the document.
        id - The document id.
        encRevision - The encryption algorithm revision.
        keyLengthInBytes - The encryption key length in bytes.
        encryptMetadata - The encryption metadata
        Returns:
        True If the ownerPassword param is the owner password.
        Throws:
        java.io.IOException - If there is an error accessing data.
      • computeHash2A

        private byte[] computeHash2A​(byte[] password,
                                     byte[] salt,
                                     byte[] u)
                              throws java.io.IOException
        Throws:
        java.io.IOException
      • computeHash2B

        private static byte[] computeHash2B​(byte[] input,
                                            byte[] password,
                                            byte[] userKey)
                                     throws java.io.IOException
        Throws:
        java.io.IOException
      • computeSHA256

        private static byte[] computeSHA256​(byte[] input,
                                            byte[] password,
                                            byte[] userKey)
      • concat

        private static byte[] concat​(byte[] a,
                                     byte[] b)
      • concat

        private static byte[] concat​(byte[] a,
                                     byte[] b,
                                     byte[] c)
      • truncate127

        private static byte[] truncate127​(byte[] in)
      • logIfStrongEncryptionMissing

        private static void logIfStrongEncryptionMissing()